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Claims 



1 . (original) A method for implementing an intrusion detection system in a network, 
comprising: 

receiving a request at a software agent program to initiate intrusion detection services 
on a remote computer; 

installing intrusion detection software on said remote computer via said software 
agent program; and 



executing said intrusion detection software on said remote computer via said software 
agent program. 

2. (original) The method of claim 1 fiirther comprising: 

receiving a request to terminate intrusion detection services at said software agent 
program. 

3. (original) The method of claim 2 further comprising: 
monitoring for fulfillment of a stop condition. 

4. (original) The method of claim 3 wherein said stop condition is based on network traffic 
conditions. 

5. (original) The method of claim 3 wherein said stop condition is an expiration time. 

6. (original) The method of claim 1 further comprising the step of: 
receiving notification of a network intrusion. 

7. (original) The method of claim 6 further comprising the step of: 
selecting said remote computer from a plurality of eHgible computers. 
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8. (original) The method of claim 7 wherein said selecting step is accomplished b.ased on a 
network map. 

9. (original) The method of claim 7 wherein said selecting step is accomplished based on a 
knowledge base. 

10. (original) The method of claim 1 wherein said request is verified using a cryptographic 
authentication scheme. 

11. (original) The method of claim 1 wherein said request includes a stop condition 
indicating when to stop executing the intrusion detection software. 

12. (original) The method of claim 1 1 wherein said stop condition is an expiration time. 

13. (original) The method of claim 1 1 wherein said stop condition is based on network 
traffic conditions. 

14. (original) The method of claim 7 wherein said request is verified using a cryptographic 
authentication scheme. 

15. (original) A method for implementing an intrusion detection system on a computer 
cormected to a network, comprising: 

receiving a request to become an intrusion detection platform fi"om a remote network 
location; and 

executing said intrusion detection software. 

16. (original) The method of claim 15 fiirther comprising: 
installing intrusion detection software on said computer. 

17. (original) The method of claim 15 wherein said request includes a stop condition 
indicating when to stop executing the intrusion detection sofl^vare. 
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18. (original) The method of claim 17 wherein said stop condition is an expiration time. 

19. (original) The method of claim 17 wherein said stop condition is based on network 
traffic conditions. 

20. (original) The method of claim 17 further comprising the step of: 

when said stop condition is fulfilled, ceasing execution of said intrusion detection 
software. 

21 . (original) The method of claim 20 wherein said request is verified using a cryptographic 
authentication scheme. 

22. (original) The method of claim 20 further comprising the step of 

when said intrusion detection software has ceased executing, un-installing said intrusion 
detection software. 

23. (original) A system for detecting intrusions in a computer network comprising: 
a plurality of computers executing software agents; 

an intrusion detection server; and 
a database, 

wherein said intrusion detection server sends a request to execute intrusion detection 
software to a software agent at at least one of said plurality of computers when intrusion 
detection services are needed based on infomiation contained in said database. 

24. (original) The system of claim 23 wherein said intrusion detection server increases the 
number of said plurality of computers executing intrusion detection software when a network 
intrusion is detected. 
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25. (original) The system of claim 23 wherein said intrasion detection server changes the 
number of said plurahty of computers executing intrusion detection software when the level of 
network traffic changes. 

26. (original) The system of claim 23 wherein said intrusion detection server changes the 
number of said plurality of computers executing intrusion detection software depending on the 
time of day. 

27. (original) The system of claim 23 wherein said database contains information about the 
plurality of computers. 

28. (original) The system of claim 27 wherein said information includes a map of said 
computer network. 

29. (original) The system of claim 23 wherein said database contains a knowledgebase. 

30. (original) An article of manufacture comprising a computer-readable medium having 
stored thereon instructions adapted to be executed by a processor, the instructions which, when 
executed, define a series of steps to be used to perform network intrusion detection, said steps 
comprising: 

receiving a request at a software agent program to initiate intrusion detection services on 
a remote computer; 

installing intrusion detection software on said remote computer via said software agent 
program; and 

executing said intrusion detection software on said remote computer. 

3 1 . (original) The article of manufact\u*e of claim 30 fiirther comprising the step of: 
receiving notification of a network intrusion. 

32. (original) The article of manufacture of claim 3 1 fiirther comprising the step of 
selecting said remote computer from a plurality of eligible computers. 
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33. (original) The article of manufacture of claim 32 wherein said selecting step is 
accomplished based on a network map. 

34. (original) The article of manufacture of claim 32 wherein said selecting step is 
accomplished based on a knowledge base. 



35. (original) The article of manufacture of claim 30 wherein said request is verified using a 
cryptographic authentication scheme. 

36. (original) The article of manufacture of claim 30 wherein said request includes a stop 
condition indicating when to stop executing the intrusion detection software. 

37. (original) The article of manufacture of claim 36 wherein said stop condition is an 
expiration time. 

38. (original) The article of manufacture of claim 36 wherein said stop condition is based on 
network traffic conditions. 
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